Citrix Workspace app for Mac
Important
Before installing this version of Citrix Workspace app for Mac, confirm that the server or gateway
certificates are correctly configured as described here. Connections can fail if:
• the server or gateway configuration includes a wrong root certificate
• the server or gateway configuration does not include all intermediate certificates
• the server or gateway configuration includes an expired or otherwise invalid intermediate
certificate
• the server or gateway configuration includes a cross-signed intermediate certificate
When validating a server certificate, Citrix Workspace app for Mac now uses all the certificates sup-
plied by the server (or gateway) when validating the server certificate. As in previous Citrix Workspace
app for Mac releases, it then also checks that the certificates are trusted. If the certificates are not all
trusted, the connection fails.
This policy is stricter than the certificate policy in web browsers. Many web browsers include a large
set of root certificates that they trust.
The server (or gateway) must be configured with the correct set of certificates. An incorrect set of
certificates might cause Citrix Workspace app for Mac’s connection to fail.
Suppose that a gateway is configured with these validcertificates. This configuration is recommended
for customers who require stricter validation, by determining exactly which root certificate is used by
Citrix Workspace app for Mac:
• “Example Server Certificate”
• “Example Intermediate Certificate”
• “Example Root Certificate”
Then, Citrix Workspace app for Mac checks that all these certificates are valid. Citrix Workspace app
for Mac also checks that it already trusts “Example Root Certificate”. If Citrix Workspace app for Mac
does not trust “Example Root Certificate,” the connection fails.
Important
Some certificate authorities have more than one root certificate. If you require this stricter vali-
dation, ensure that your configuration uses the appropriate root certificate. For example, there
are currently two certificates (“DigiCert”/”GTE CyberTrust Global Root,” and “DigiCert Baltimore
Root”/”Baltimore CyberTrust Root”) that can validate the same server certificates. On some user
devices, both root certificates are available. On other devices, only one is available (“DigiCert
Baltimore Root”/”Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at
the gateway, Citrix Workspace app for Mac connections on those user devices fail. Consult the
certificate authority’s documentation to determine which root certificate must be used. Root
certificates eventually expire, as do all certificates.
© 1999‒2022 Citrix Systems, Inc. All rights reserved. 25